> this means that I incur the penalty of a network call (for auth) once every 30 mins or 1 hr or so.

Correct. You will be talking to the hosted version every time a new session is created as well. However, as you said, session verifications do not require a network call and take < 1 ms.

> I'm guessing I can install the self-hosted one on the same server as the API gateway, so little to no penalty there.

Yes, you can. However, if you are using AWS and the us-east-1 region, using our hosted version there would give you the same latency as if you were hosting it yourself. If you have a different cloud provider or a different region which we don't support yet, then yes, you could use the self-hosted one for minimum latency.